Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Google Project Zero Continues Its Microsoft Zero-Day Assault

Google's Project Zero security research team publicly discloses another pair of Microsoft zero-day flaws. But what are the actual risks?

Google's Project Zero security research team has once again put Microsoft users at risk by publicly disclosing a pair of new zero-day vulnerabilities on Jan. 15.

Google's Project Zero has a policy of automatically disclosing vulnerabilities 90 days after they have been reported to a vendor. Google reported the two new security issues to Microsoft on Oct. 17, 2014, putting the 90-day deadline date for disclosure at Jan. 15. The two new security vulnerabilities include Google Security Research issue #127, which is identified as a security bypass flaw in Windows 7.

"You can impersonate an administrator's token as a normal user (through linked token or kidnapping a system token) and call the protected functions," Google's advisory states. "On Windows 8+ the SeTokenIsAdmin method has been changed to check for the impersonation level so it's not vulnerable."

Google's advisory on issue #127 also notes that "it isn't clear if this has a serious security impact or not."

Further reading

In a Microsoft statement emailed to eWEEK, a Microsoft spokesperson commented that Microsoft is not planning on addressing Google Security Research issue #127, which may allow access to information about power settings, with a security bulletin.

The second zero-day is Google Security Research issue #128, identified as a security bypass, information disclosure flaw.

"The function CryptProtectMemory allows an application to encrypt memory for one of three scenarios, process, logon session and computer," Google warns in its advisory. "The issue is the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session id (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session."

For its part, Microsoft isn't too worried about either flaw, though a fix is in the works for issue #128. "We are not aware of any cyberattacks using the two cases publicly disclosed," the Microsoft spokesperson stated.

Microsoft noted that, while it is working to address the CryptProtectMemory bypass issue (Google Security Research issue #128), it is not a flaw that is easily exploitable.

"Customers should keep in mind that to successfully exploit this, a would-be attacker would need to use another vulnerability first," Microsoft's spokesperson stated.

The two new zero-day flaws disclosed by Google Project Zero bring the total tally of zero-day Microsoft flaws that the Google group has publicly revealed to four. On Dec. 30, Google chastise Google over its disclosure policy.

As it turns out, both the Dec. 30 and the Jan. 11 flaws were fixed by Microsoft in the first Patch Tuesday of 2015, which came out on Jan. 13.

"I think there must have been a problem in the communication between Microsoft and Google because it seems that the patch was available within a quite short timeframe of the 90-day limit date," Wolfgang Kandek, CTO of Qualys, told eWEEK on Jan. 13.

Given the two new issues disclosed on Jan. 15, it would appear that the communication between Microsoft and Google on coordinated disclosure has yet to improve.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.